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D >TKIB rBD DOCUMENT VERSION CONTROI 



BACKGROUND OF THE INVENTION 
i - «. \ v u!su neo n 

{mm « u i - '» <■ ^ s w ua <. 

i ( v m tel., pto > 
jo s \ tKvt'oi'x.WJi Lwii fei\. s l v u*n f 

, x o K v > til [Vh! o>u uU 

0 x ; fOp<. „ document i , nufel imv! k . > 

, i, ms i t i i ilie offline 

ibr use in auditing cecums o; access. 



= 0003] Coi-veniiona'i doemnem suauagea-seut systems Oave 



eeiuded document 



ram) >sm * e uuu .> v >$. ^ uvd with documents dial dtew dnV cri - ^ ,>.u<ds 

\> cave o - . v. », >m us, and oc i\uffiomJ locura^ni * g ^iv t . 

3 U hi»de ignet U 0 ms at decamu ^ < 

a . x < - e « < system format to a format used by the sol m <k 

separate software p1ag-3B. required ' each integration with a document management system. 

Moreover, the extensible Rights Markup Language (XrML TM ) is being defined to 

theoretically allow a document viewing application to understand resources and permissions 

r , a t th t j es the XrML : " vi -ales 
|0004] . N ! <■ "cbeei u&edtv>s\s , ^ > < v 

. v ^ j mi oo a pei-docu i •> i f 

v ^ x ! d dovttmems. anU combined syraineitic 

encryption sotemes (e.g., Pretty Good Privacy (PGP™) encryption) that provide the ability to 
(v ^ \v th > i s ai > e ■> -s - o.d In the network 

j ,u - m > tot \t >. u th t cacme 

" , \ ! f \ M U. vlS v v O >i * * • 1 i 

i i ) e nccess Ptoto < ve vari< is 
systems *av« dso >xo\ it ed funct oxiaiitv to allov users to raid + K > rsioc of a 
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v. ' t»o e.ecmneut. mk> as m< » n * , N ^ <■ ^ Mara o t 1 i o^ «'hich 
vu'uos ^ <• k v» v., , .^m a t ^ a \ >^ 

ejioailnotificatioiiwhs - Diversion heat ich l<> mi n pdated therein 
email t i \ j n ^ ^ > O i k * J> « > 

document, 

SUMMARY OF THB INVENTION 

M JO i t^'XiU id St UU^Cd ckv O! X C 1 si 

v c- in '"i n n i < ; I 

, v v \u v » j i t.u»j jldtfcuooicdijcirj i ' i i * 

i Wt'M ^ 1 > > i - vtl US U S x i , V < > t 

to force the action to be taken with respect to the second electronic document Receiving the 
request can invoke recei ving, at a server, the request from a client to take the action with 
x e electronic document hedistrib ed etechonk docu en wring 

rtu\,vi .v. wtu eh nt ' Sen i >u „Ut is o. wu.d v ormalw r j \u>Ht Mi«i 
,isn viatv i,u a vd tttheservei Imparting the second document infonnatka* can 
im >h 5 it bo - a \J J v j icn* information from the sett er in the client. 
(0006] 'Relating &s second document information can involve sending the second 
\ >c«mei t ot nation to t is client to allow the client to obtain the second document 
jv ' ' 1 < t is v > a 

J ~i « " > ) ^ document to the t > nt. lire distributed and 

n » s * u ei sions of Joe r < 

iunul \ ergons of a document 
1000" kvcii t K ox ^' u nth ,u t» - ^ « 

v , t t , o« ^ , o ul itiu » t,.L.r»NOfv switun. 
soecirvum > the action is not permitted with respect to the distributed electronic document 
s _ \ ^.ons information !. r - ^ - - ^r^ions at a 

, j v > d ! ;\ -- o % ted v c i c v u oj 

s > i s s ! ; vs\aUu! 

j r !j 5 ^ i 1 vh U ! » ' 

, , < ov . ^c< ' tl d,p n < J v * 

identified user at the client. 

2. 
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[00081 Obtaining tie second electronic documeat ct^iavolv-e generating a feast i 

documents can be different bninat versions < i document. The distributed electronic 
<vem, > > 1 J ^ ! * - ^ 

of the software procmm. 1 ibe action < \ ruariing the sohware progoea, 

0(|i U 1 < U . i V I v , x -V i ! > > 

electronic document, vu. . the document lei i i ^ , i the requested action to . server 

astagthe address, and replacing fee distributed document, al b li \ J set 

, , < t , ^K-da,\!..:neuieauiovohc-o.^" t d Mu* ^ah 

respect to the second document. The second document can include fee address of fee server 

over the distributed document with the second document in i stora edevic 
|0010] vvCO ongA <3 olhex m i s t u r N 

locally rrtaamit distributed document contacting a document control server Identified from 
tee distributed document, and forcing use of a second document in place of the distributed 
i - v oil,-, oik 'i m n base < ! 

the document control server. The operations can also include obtaining the second document 
AS n i iiw oi fee received information can include the second 

document. Tire second document can be a later version of the distributed document, and 
i v < Josmfs the disuatnned u can e n , , 

second document. 

f 00111 Forcing use can also include transparently overwriting the distributed document 

inform iti rc sncoi tVing permissions relating the second document, with the distributed 
s distributed document can a -o - 

c he software program mdt nt actios 

■ 5S 0> 'UCCUb ^m . i 

i >L' vi tv>vU '| <- semi, equeor 

s to 'be talma wit respect to i st 

,s ^ * >l ! t K { > - S 

s ,v < lor io o ur , o ^vx mu I 1 » , » 



w ; or atton feeffig reused at the server and indicating a second 
i „ j ^ and associated n i< 
L r n ^ r t . v o 

J" cv V e u u betaken 

|8013) = -u server can include a server core v a- u,! i v - 

> »u a; provides fmiotionality across dytianiioally loaded 
i.yn.aj >aded externa erviee providers, including one or more access 

mimg the server, an ( - \v 
vd\?iy - ^ < »s v v .!\- and an. administration client, said s load balancer 
that routes client requests to the doe-ameni control servers, 

[00:14] The server can be a permissions-broker server including a trai sky on a n oponent 

. , , , ix i nn ^an be a doounenl ace r„o n ^ < n ^ ! s »o s 
n ,V o> v < . station component can be operable to translate first dosnmea*- 

oennissions information in a first ons d<. rrn *> format into second document- 

v , o a -wccnd permisskais-defhntion . format i esp i there s*. 

[001 S] The server can fee a permissions -broker server operable to obtain and send, in 
response to the request, a software program having instructions operable to cause one or more 

u- p ov -s s o perform operations effecting an autheatu - \ x e tre 1 n« 

client can use the authentication program to identify a current user and control the action wife 
\ , n a? \ based on the current, user and docuu.ien.t-pe.rmissio.ns 
x s 5 ^ v ^aood document 
'Hie server can. be a document control server operable to synchronize offline 

^ x > C X H t 1 

In.forrnadon can include a fust hey associated with a group, the first key being useable at the 
v x > ng a second key in the third document The 

client can allow access to the third document when offline, by a user as a member of the 
x v. a, q x n i > < i 1 » 

, , K 30 ei *d*d on docomeni-pernussioss information 

. so \ ^ fee third document 
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% o urn n:i':t-$2imms§& 
[00171 The investion can be implemented to realize one o \ i 
advantages. A document control system can be easily arid tightly imegrasoc * > 
enterprise mfxastmetox, such as document management systems, storage systems, and 
ttk dacct n < .it ? < rs of the dooiueera control s;ys em i i 
^ ^5™ mih* r <«*tw« with minimal amiovam ? < lim nxtf laiioi can 



system <s«»b§ deployed on multiple platforms and not be \ nei\ dec a pa nk 
platform. 

|0018| Functionality of a client can be pushed onro a serve? on ib >• 
management and deploy-tent 'by rain irnkdng the size and cornpleaity of the client application 
i „ „ .vent s opetattom can be ttrpiemented at the server without 
reqtutiagt i lenti cation system can aliens aiientieation 

, v iof o e-Usrvd d ' 1 1 inlhw i. ^ 
<xmKwh dhferem authentication mechanisms, including later developed authentication 



r\ < . nee ox by ro-amhemn 
a <» v fxv) - >< xi^ment A server administrator can. co: 

process «m be an o i ed into the client when authentication is to occur. The 

uu « i . , « i <. » v« -x mULpendent of document permissions and actions, and thus 

vis withom needing "v tah \ f <x 
v 1 , e uon 

l document control system can use an existing client application with its own 



miheemcm 



\WV)\ 



a > »a c <m . v. <. ot- m^a-' ^ x . ! .s^m v m 

^ uat >n rnuanne t u ^ 1 f 
, - o'" 05 server can en an . .. i ' 

Hie system can x c cv< j ds 
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i , SdiishHe to older formats of permissions a fellas 
10020] An offee .access .model can b*. » u im m > f i ^ < o >x h ^ 

< v . < t I i m o J Ot ^ > OtXK. *. OX ^ - - 

I . ■> OW CC^v. i *> 1 iv ^ ,> 

, ul fel ( ^ X - s 

j > ( < v ' c\ v.ed between v\her w^ 

, v mwu \ it- ex swem. Moreover, a bounded tinx an bo provided 
i " axl and when all c fe <hm f\\\>it-K xx w 
|002 ij Aakxama t information dt 1 echo } an bop? ded that automatical!} 

on ennremmg different versions of a document to bo accessed, A document 
can be tethered to a document cental system as described, and when the document is opened, 
the system can relate information concerning a different, document thai should be accessed 
kilows can k defined Such workflows can. ensure that users always 
have the latest version o f a document or provide customized user-dependent, document 
do! ivory. Viewing of a different document can be suggested to or forced on fee user, or both 

,i ! upon the document. 
[0022 x staiis of one or mote embodiment of the ho \ - < bin the 

lk osio ^ ' dr wings and the description below . Other features and advantages of the 
V1 n pna.n ronslhedes* prion, the drawings, < I the 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0023] FIG. 1 is a block diagram illustrating an operational enviroament for a document 
control system. 

{00241 1 ! b ook drag <tm u usiratiug an example document, control server. 
[0025] Fife. 3 is a. block diagram illustrating workflow in an amhe 1 < system. 
[0026] FIG. 4 is a flow chart illustrating an authentication technique employed by a 
server. 

Op - ** > < ! ' ' - - f t •! i 'i 

$02$ safkn * > niqas employed by £ 

[0029] FIG. 7 is a block diagram illustrating workflow in a document control system 
integrated wi h a documes 1 repository 

6 
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[0030] FIG. 8 is a block diagram iiliKtmbng workflow in a document control system. 

i i 

\mm\ doc !ia uk 3 asb i iocurnorit control sen -> o > m 

>. s * 'G 2. 

|0032.| < \ block Jiagram illustrating example details of the k ve 1 am. FIG 9. 

0033] BG. 11 is a bloc 1 t ating an of&ine < >c« c N> ! i e; > 

o v o ^<mi ^> system 

\mw v i - , J> w < u** iltuatra mg a syr 1 «. iu » 
server. 

10035] FIG. 1.3 is a flow chart illiJStralmg a syncbrooizadon operation as performed by a 
client 

100361 FIG. 14 is a block diagram Mosfta&ig components of a secured document 

1003") K 1 N is i fiov cm rtlllus c formatio technics 

|00381 FIG. 16 is a block diagram illustrating workflow in & document control system, 

|0039] FIG. 1.7 is a flow chart illustrating a document information receiving tcclmipuo 
core v . ( - *- 

|0040l FIG. 1 8 is a block diagram illustrating document securing workflow is the 

docum onuo rveroG 1G 9. 

[0041 ) FIG. 1 9 is a block diagram illustrating server-side access control list evaluation 

oxiarui cv uolscrttotFli V 
[0042 < f ignim iiluatrating online doci nem^ t < s ^ u the 

0043 ;k diagram iUustxating revocation workflow < txm 
control server of FIG. 9. 

00-54 s k cbagraru dlumatuig au i u..ov, m the 
. -c \ - N ^ o" - \ < G < 

[004Si FIG, 23 is a block diagram illustrating a document control, system with multiple 
do> . \ cormoi servers. 

0 » i i > u u » tt\ i \fy -mem » 



DETAILED DESCRIPTION 
[0047] . i i <m ^ ^ ' i v 

v W 0 > s t Is ^ lulk-'M Sn iu o * The 

document control system can operate as a stand-aleac system or as a component of another 

system. The document control system can provide persistent document secondly by 

v m , v.\"t K>d what can bo dofti, m0 no n I na < 

V , Ov , v 1 v. ! V , > < K t l SO ( 0>! 

,u tK IwhIilpi uouU j or H . 

j i o „p xn?\! , ^ mil i 

sermterfa - operating ystem (OS) or soflwas tpplieatk j > >cn« 

» i Ble A document may bo stored ra a portion of a file that 
, i odicated to the document in question, or m a set of 

"< ased herein, the term "peri > i cu og fern 
time to time, asm does not require regular intervals. 

|0848) I ^ ^ ! o> mmmes described can be used ^mm.ao oo \ of 

documents, memdmg, for example, PORTABLE DOCUMENT FORMAT™ (PDF™) 

< u n a format originated bs sdobe Systems 

Bm Soots, California- A PDF™ document is an example of an elecooroe document In a 
rtDmmre-omepersdem document format that, can define an appearance of the eke mm; e 
, . , u t m,> v >n > e 

x - , * ung graphics, animation and sound i< i i 

! momnmmpbivpr (, nn t kxurcut 

!o , i v v i i h ft e i at 

< N , , j of format-* tthtne techmm «. 

i m u a on m> ;m tm vO» \tuwo, 
. sv>> u >i k > uo m n t'i J<t t i ( 

- v o on on both Java and .NET), and can use platform- 

j ^DF™ documents u &< oeumeni con 



wo 24hj5; , !!45?o<> Hn/mtimnmnsj 
[0049] FIG. : is a block diagram Xos'ra mc, an operational cm uonmun for a document 
con irol system. A network 100 provides conummication links between one or more clients 

be any coannnaication network linking capable of communicating using one or 

Hi) t x I x \ 3 >^0?s 

(M \x v-ix v . \ enteprise network, virtue* - ^ ,r\ rvv o> V ,\> 1 \> 

and Oi tin fete et veiie;P 1 10 car lx my machine s! . , . . > - 

eonununlcatmg over the network 100 with a. server 1 20, and the server 120 can be any 
vip<bkoi e>)annvmca.ui i 
v. { < v v ! n Hi G III? can also commuaic are with the emexprise system(s} 

130. 

00SOJ s ) i n(s) 130 can be a storage .system, an i sfc 

^ s,s\-e n\ o s document management as -tern lh ^ , ^ 

tsu v i i ' ^fn Main l >>io i > sn \ t 

mpte, the server^ s i seppon ;V user and 

* « > K l!Cu tl., I„ ^ 

cm provide d< ^ 1 i vhik ig minimally obtrusive, ma\ , 0 ^ <• «\*nJ a 
> f n- • rkns o ^ vr . > a > o\cly. Poj example he screenei * 1 vi, nnpieoe^ <t 
kv , - , i .at provides a sophisticated offline-access rneeharvism, as 

hat allows users to 

,i x ^ * - OV *\ lie online. Thtrs.tk iocommn mtro s st< a can 

; <!,t; :im\ b v -| e o*~ Jr - ^ .> n s operation, making the presence of doera^en; seen; i \ 
k - \ v rn.iv a u e - 

[OOSFf FIG. 2 is a block diagram ilmsnatm > i * 
The document control server 200 can include a server core 210 with configuration and 
5 e i co! !10 ca ocsdnre call 

ia contact the sei v er 200 \i nteraaG er> ices c t pone 
( a . 250 Othtt Ci. mponens ^ th<- s-exv^ A , 
V! ^ , i» , > 2n e ') mt 

^'He configuration cx>mpOi3om 220. TlK'Tneev . N - . 
> r ,Mn,Jl xport- > u' ^ ~ ~ ^ . 
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x K i v Ns.n v. i < c I > 

b e a ■ the n ielht sds 250 (e.g., storing data, anteticating users, etc). 
0052] be configuration orepon at 220 can define an interface to configuration 

jlu*.*, JX»0 t > « i M w UK > e o 

- t fj.muon 1 " c > 
ie(e.g.,a iaT file lead by the server 200), and the ngc etcanb* 
log Ue(&g *tc<tU<\ A Vi i uonu i 

ooalor ss ) sing a standardized interiht <. u •» . <I N ^ 

u\ nd iog4j, i ? 

(0053] The RFC interface provided by the server core 2 1 0 can he used to present a 
• v iients < v ient cm RPO each named method and provide an 
, 'htserxci 200 car i 1 \ \ 

classes that export the server method interface and define the methods that fee & 

* , e^ra^e lv cheats The internal services 240 can he vne-na ! » , * v h ' 
that are used across ail of the methods 250 I hese c 1 ^ > 

dynamics . c k , t,v>o uvtU u s <■ . s 

v > document securer processes, and an access control evaluation and 

crcLt.oK in\asmjcaire. 

[0054] The methods that the server 200 exports to clients may depend on additional 

a ons that are dependent on a backeod krih&traeture of an enterprise 
ament The ex mat service providers 260 can define a set of $t p n jc 
^ \ k v - \> v e cm ie. horns) between the methods 250 aid their execution 
environment Upon initialization, the server 200 can load and initialize the set of service 
w,<vc« new. The external sen ee - ovi( srs 1&. can 

include defcaJt implemeuiatloris and can he added to over time with additional 

, i < s Untdsentee 

provider interfaces. 

005 i 1 ussed he lev i 

service providers are also possible, The f i » of the service providers are given in teams 
- , ov lets implement 1. ese intern 
satfi t I npkmsnted across a wide variety of s em 
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«es systc xjundaries caa be denned "m simple tans to -pro-vide greater 
^ > ^ < ' . < <. ~>vfcnk> 

0056 i i - ide! can be used to sutheratikatf 

context of computer security, authentication is the procedure by which a programmable 

, 1 , \ K O < 1 i v 

omuai^yuiiA.o<u u I Is j. ^ s f >n > 

authentication can be used, and there are many types of events that caa trigger an 

i ! < < uneou n\ ice 

authentication systems and techniques described herein can be used in a document control 

- - , u ?vslar.s. 
[0057] FK 3 is a Mock diagcan u uvaiio* w ^ ' < . A 

client 310 cm be eoimnuaicatively coupled with a broker server 320 via a network 300< 

- eeds to take an ac&on that depcudi. or 1 > v <i 
client 310 caa send a .request 350 to the broker server 320. For example when the client 3 1 0 
}UXn v ^ x , x ieeon v ith respect to a docunK nt 305, the client 310 < > qu< 
350, The request 350 can indicate to the server 320 that an update concerning the currently 
approved aa o < J use in connection wife the action, is expected by the 

client s ini rn n i > ' 

x ^ ~ * s i i os'dcnt in a location local to the client 310; aud the server 

Sl , 1 dtlUS \l U^vj.O i V'Wlv 

u . i , ' c process lor use by the client 310. 

|0O58] Additionally, &e request 350 can represent multiple connnunicatioi I h ;nth« 
cheat 310 and the server 320. The client 310 can first communicate to the serve? 320 thai the 
Hon i quests sd the elien eqoesis to knov> vhetht t caiio to b 

>j nation istobeperlo'uxe iouu u > 

3 , . umeni 305 can be included hx the doenment t s 3 N 

can determine whether user authentication is needed based on the mfomuitlori iderithy>og 
i j in so c , Ts noadassto 

t < ; o tUtvpcofa r . u < > u . 
,\v,\-.,:„;, - > J acceptable authentication . 

*o *~ »*U\ shan <lacoe 
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I at v \ o fum k taiity, the client 310 cm then request a corresponding authentication 
update. 

|0059| The server 320 can be a dedicated authentication broker server, or the server 320 
can provide other es? ucet is well For example, .>v. a^o .'Von v. , ecu \\ romeoi 

<. , m. iHsi'iunl.vra^o^ n i t > 

revo.kiru-: and secumnri can oQeeri.veiv also be server-based operations in that conipklnsn of 

USCV. O ' *K s X T IK v v > s < K s (J 

v u a i n k j >. s ^' > 

[0060] The server 320 cars respond to the icquest 3>0 by obtamum * i -to 

!« v v ^ J me > " O iK i l . v .\ o. - 

>< ftv >N > si e> b} the server 320 or by another server (e,g„ a server in an 

< nlerpri es an). 1 bus authentication components can reside- at the client 310, on the 

on a separate authentication server Authentication can be I andled 
e- } ac 'hat allows the server 320 to be configured to as, an es 
vuietpux < > micron mechanism (e.g., password-based authentication), or ev«a to 
imnlem.ent a custom authemtcatma mechanism thai may be developed i (e.g. a. momeirie 
authentication, or a new smart card system), The authentication service provider interface 
, ,r t , nods tibc srtrvu 320 \i*®> to authenticate- a user* and autheni ai >n 

service providers can be irepiee.ier.ted for Windows and LDAP (Lightweight Directory 

\ v «cs " - a~ henL>\mom and also .for one or more document management systems, 

v Documentary® Login Manager in the Doeurnentam* content 
,, , . - idee by Documentom, inc. of Pieasantoo, California, 

[0061! The authentication process 3 1 5 represents a software program having instructions 

m to perform operations e+Yeimng a n . > *> The 

authentication orooess 3 IS can become a component of the client 310 upon receipt or stand 
atone and communicate with the client 310. The authentication process 31 5 can be a plug-in 
ivtavr \ >lication„ such as the ADOBE Ark' m owdce by 

voe ^ s s v v , San Jose, California The authentic san use an 

i ^ i] a u oo i u » > 
the server 320 (e.g., the document viewing application can include a security handler 
component 31? that communicates with the authentication process 315, such, as described 
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- - < m cuieation process 315 can beac. < 

n v v „ , > i sv \ a >. ^ »au 

Uool » ^ r n f i si r j » < v > < t , t 

OXOl<.\!» s 1 ^ K ^v^^oUmIU )> " S v 

s s \ Ugn-ahic, uid <. * 1 nun .u^s 

v s n ' i <s <. user being awaa v u [ e v iv * 

t procedure to be used for a document, all clients that attempt to 
perform sin. action thai requires (be specified authentication with respect to that document can 
be automatically and transparently updated to be able to authenticate using the newly 

xYOk s > V location procedure can even be changed between sequential 

actions on a document, and thus a new request 350 can result in a ao%\ k j * <. 

3 1 5 being deli vered for the same action to be performed on an already delivered document 
{W6$l The authentication process 3 1 5 can implement an authentic at. ion procedure at the 
ocatio v ? s interfacing md controlling aay local hardware as needed{«4t, a. 

<> *. rure using biometric reading cevd d the aufoentlcatiba 

* hi i. i ") ' K v 1 

information back to the server 320. The authentication process 315 cm implement a wide 

n ^. > d' d n i ) 
aud uo-v depending on the action being attempted. Because du ,» . s.k uen process 

j M o i.red in response to each request, so organization can readily 
, : \:;ixir i xfocudort i codures adding new security features to a document control system 
as needed. 

IW64\ - * v ecu process 3 15 can query a user at the client. 310 for input (e.g., 
x u e^ouccutpi nd sotarr. the encode*: * 

h e», send tbe encoded htpu t> ©dl 

a t3 I ! >v nd<; foe Infomnition to the sej-ver 320). The server 320 can 

i \ « h< * icab m server 

330. - iiwrois mechanism, the client 310 can provide credentials to 

the server 320, > the server 320 can work ' \ a third party authentication system, such as 
L'DA.P or KAidlUS to authenticate the user. Jf.authentiea.tio s su ;essft k thenticatiou 
service provider car- return an authenticated usenmrne. 
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[mm v. don fee sen ci 3 it 1 need sot be able to directly interpret client 

. *, , ■ n n j ,.M«d of tbc client MO jc* rig credentials directly to the server 

! t < , the ( . i\ • 1 to 1 us tt , v ■> 
*/\cr \W<. - s > » u v v 0 s 

11 , tv,H>M>v\ > cc'seMle toto , k 

s v j end; am bereU > the ser 

320. e receipt to the an* v tos 

• s v SS! ! j ua or Tons, fee client 310 can provide credentials to a 

s crs ' ev 1 uk \ en pa Kk i <- 
b« cs erift the u er s identic w tb le 

•an &TLO 1 1 << > «> ore authentication processes 315 to the client 3 10 S as 
needed, using the interface described below. Such authentication processes) 31.5 caa be 

v . .a n;ei\ o u\ Mcr * V.O and spoofing can be prevented, such as described below 
in connection wife secure code library loading. The cheat 3 10 can also have one er snore 
s s > >le, such as theto 4 ! a thai oas 

pt r/i >rd <: omry Naeb defeat ac.s 1 1 > oeuH 

f , 1 i m . < » > *s J > • >i ! 1 

inibrmaoon wbhrn auovn: .wtovn * \ ; a to . Moreover, the client 3 1 0 can otouu 

i o tha user need not logon e perform ai 

operation. An example of such retaining of client credentials to support offline access is 

0 • tier with i Kb V i\ 

|8067] Secure code library loading can be hnpleniented to all the servexfs) 320 to push 

1 s 0 g l)LUji\J^v oii> h ' I 

provide updafe or; ;stoo darts on an ictios r kn ^ v> n lu >ari 

»>kC on UK* 

client ^ by a Trouar horse program). A mechanism can be provided to verify the 
^ « s * , _ u - tonaries downiookd Kern t t 

my to the client, the serve; . cane ash of fee 

1 > id «. V \ , Al " S ^ O - U 

xs ^ , ^> ^< i _ ! i 05 Js > > O 

lent a n e fee aufeendcationiib i i < g a bashed 
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the authentication library and verifying it against the retained value at bad Urate. 

XJL , O , * , 'IV iv. x. -xl i i J "> T * " s 

Vs.'dV K'H ' . K >miv \ "> . 1 X H I «. 1 

I t I \ I * dt 1 ) » . t \ >■ 

, k v . e ^ u,u: 

[0068] FIG. 4 is a flow chart illustrating m authentication technique employed by a 
er ^ request on with respect a docamei 

i i' '^u o) «■> xessissent 

to the client, at 420, for use in identifying a current user and controlling the actios* with, 
respect to h ct v lot out h > w t < * u . - oe-nmsions 

•> * utethMth v'kca-otuc document rims h s hemication .meeha a 
e<sn be spe x, Ox x sx \ cr an*, t < aoptopnan c ^a. . k i w< x 1 • the ehem 
dtynaa y, as seeds sa ner that is transparent to the client. 
[0069] v > u^face can provide either a text-base ? me-pass\ >x 

. >- -u or a i-inglo authentication library. This car be -5 
rootbods tor aatiuintieatioo. The first method can take an opaque token (e.g., an uninterpreted 
o * x\>^ 5 usemame, although the imp eiitattc x xx tb 

1 j ) t ! 1 u 0 ' n » 

x ~. x 0 n or * corneet sixmg" if desired. The authentication provider can 
implement its owe defense against brute force attacks, and can have the option to deny 

\ c , 1 >v on .0 credentials are presented. 
|O070| Implementations can also return an authentication reply that specifies whether the 
- x x . > nn entscated (verified). If verified is false, an additional error message 

Mitt eunedte.g nosuchu&ef! * * 

ut but tan just be logged on the server (so as not to provide the 
client with helpful information that could be used to crack the authentication system). A 

can ignore this. The user-name should also be returned tin verified atte at . 

; xj enticated rhe access con ho e provide 

s usemame an 1 cali sit > 2 * 0 ! ^ 

sx iJ, .-idx .e-'-oo'-ki >«.;,, xind the dofin x i x ejnouu\ 
in the system can vary with implementation, 
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[0071 1 Because the client can authenticate via multiple methods, the server should be able 
to describe how too cheat should attempt to authenticate by default, or if authsatieaiioB failed 
whatm > * > » - i s« » s xk t > 

autlmntica ouidoeeu; via a specific code library or via. a basi ext entry dialog 

. it a code library is to be used, the server can ooramumcate 
metadata about the code library to the client (e.g., a DLL's name, size, etc.). If a basic text 

vo v. ms>peuf\ wnat lh- < s 
title should say "Please enter your company j. DAP pat.su on « <<. ^ <. ^ 

»st.xs <J » required. 

$072] ! > 

control systems and techniques can be provided. These cm be combined with the desenbed 
authentication ox used separately. 

[0073] FIG. 5 is a block diagram hhistrntrng workflow in a document, control system. A 
.client 310 can be comnmnieativdty coupled with a permission wr r t v * '< s< , 
network 500. A document source 530 can also be communicatively coupled with die 
pemdsaioTis-broker server 520 via the network 500, The document source 530 can be a 
<. vUCK i i i ' >. s 1 ^c oi a tile \>su.r K 

document H.molmr, system (e.g., an email system). In general, the document source 530 can 
be considered one of two types: (1) a document source where a document 540 should be 
o ^ k ,vj< e .\die fu a c <uk t-><-id> ci \me where & 

fcta? ^cd and ,k s 

may be in practice). 

|0074] When, the document source 530 is of die first type, document-permissions 
information ■ ° ' v v . • on .,\i i the document source 530 and sent to the permissions- 
in <, , est. i mi pcimi-ssions i 

he retains i at the > 5 ussions-bmker server 520 (although such information can be retained 
s u. ft litior tbrmat specified for the server 520), When the 
■ v\ ' ^ o . > 1 n v. cud type, the docmuesit-pernii on 
genei it e d< men sree 53 'Mr permissiorrs-brc I c < 

ument 540 is sec? dtot seems omen* 54 sad&sc ua 
5 ermiss I n lot 550 can I i it the pern ssions-brol s? > The 

t j i s < $ K u U! u n > l 
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<• ? x t t - m C*. v< l M>M 
n ♦ >< T ! 5 HU trill tl U 

QtJ v & - \<5 t rMi^KlO! ^OU:(5 Uted f 

[0075] The secured document 545 caa be encrypted using au encryption key generated by 
the per* »s m b oka serve i and the second document 545 can Include information 
rver520a» i neni 545 (e.g., a link fo ik serve 20 and £ 

; . . uv.'M(h n the cone \ i v x 

do ' i * ? <_ Oi <. 1 i 

j x n i ed o a otupK 

fa sect * d document to g., an attachment to an email forwarded from another 

source). 

[0076| When fee client 5 10 needs to take an action with respect to the secured document 
545, the client 510 can determine that the document 545 is secured, extract he hdonnaiion 
v v. r >2< > and die ifo i ^or\ cr Vt 

r u u< ( » K H 0 ) K 

tothismpr^ » 01 > N u Uk doeamutt ierm:svons 

information 550 into second document-permissions iidbnnation 555. Xhe Second doeurnent- 
^55 can be sent to the client 510 to govern the action with respect to 
» v < , e» <. < *>h iVc cheat c l 0 can be a document viewing application, 
such as die ADOB E ACROBAT® software provided by Adobe Systems Incorporated of Sao 

>so, Ca a, i \ loou en 545 can be a PDF™ doenment 
|0077| FI.0 . 6 is a flow chart Mustrsting a document control tcchniq oe employed by a 

\ -equest from a c cot to dee n ictien ? i 
s v , v MtooO In response to the request, first doenmenO 

^ ,\ . ^ \cr\ at on associated wife the , < 

x s ^vi >>e m u Dot permission^ cO$ nu v * . The 

- \ ttaa&sions informattonfe translate < c • document- 
i ( i i ?e secern 

o is, &C5 1 to the client to gow h > > i k tl 

electronic document at the client at 630, 
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[80781 Referring again to FIG. 5,ffeefirsi docuiiie«t-f^m)idSu^^ rrfor matioe 55 cai x 
m a first pessmmoas-deiBnitioa format that includes at least one type of permission 

! t i U U s i t J st s 

o v. uneoi- pormi^su ns tnfotmatton 555, and U e i ! ? * > s 
^ cer. ;n v c translating based upon actional information associated 
with the request 515. For example, the first infomiatkm 550 can include time-dependent 
permission hfibrnunion .that oarmoi be Mfy defined mthe second uuoonation 5» because 
the psmiissions-detimtion format includes no notion of time. Bnt tins time-dependent 

< < can be d« fined in the second document-permissions : i ■ fat mation. 555 
< > ^ tj , quv t b> uuang f e mu < i 

to t pen oas matron 550 in cosj s 
h s < - < { »V t equated action is anthemed, then this can be 

, , . - s \ kU ot. v } k o <- >it niiion \>e, .e ! ! > v >v * > U'^ 
docqmeat-pemus&tons infonnaiio.n 550, in conjunction with, the time of the request 515, 
>J - w . > a ^ x > \ < n c se<muc 

! , v .ions wferroatum 555. When a subsequent action is requested, the 

e a \ < ^ u\ v ' < • n *ho time of the subsequen t request 

(0079} As another example, the first information 550 can include user-dependent 
permissions information that cannot be fuiiy defined in the second doenuient-peratisslons 
> <>n teesn 

-e? \ - - J -mutton can include both user and group-based document 

<\r . -? - v-etined m the second document-permissions information 555 
m > mrposesof&ecan-ent request bj aking into consideration use i s i 
r>o . on ecd - e n . b„ \ 7 > . t> > .rfron nwevtmo can he obtained 

s mqaes described <J 

! v. < n s i n t ! i on xwK 

obtamed ev" Kkrebkmme -mhnuatiom Moreover, the muttipje requests received by the 
■* >n rsooes < ^ ^ -O- cu\ .sev ih :i > *<< t<> «m Uioj ding u 

the actions i < * d i 

v » v . > u 4 also with a nehvort res i f > i ! < 

-,e;e^ u> viaiu: wuLUv imot -eJ5 ...reported b> the cbema-d ^ >< 
server). Requested actions can also be cons i k a o s kt x . ! v. i , s 



wo mmmw) pcnvsnmmsmi 
525 can be used by fee server 520 to generate an audit of stored ac6«BS-tekea deformation 
.w, „ o *\ A x A i c ^ a\ m v. v J „ thv s mfon> I t , v t tor rTA 

can also >na performed at* guested at , < vt x * 

} e foimcd <»tth * > ^ *r tw management system 
include this hxi oi « 
v «nS0| v v slock diagram ill ustrai > % nmx < ystes 

o s gra <s t ^ 

secure documents m fee repository 700 in a batch mode (e.g., when foe server 730 is first 
installed) and - step it xmtent man man sfe < v - workflow A securing 
' v.m .v'avU'^kn.o'-yai "\ 1 h > \ c ?c>u n a> 700. A doeuaa'm , c- ' c 
asobi < js d to fee server 730. The document identifier 15 can be used 

om^na! v b\ r- v«.r ' *0 io control actions with respect to tb.e content Iftherepositojy700 

ci 73 N esm sv the document menu < 
* d > . Astern, tlie document, identifier 715 can be the IJR1- 

(Universal Resource Locator) of the document. 

I'OOfJl ] The server 730 can communicate with the repository 700 using; the document 
vr i n i oon^ v h * ^ ! ^>m< 

filene salons information from a. file system). The doeumeid-pcHmsskms s as i - 
can y , ? jo >hc o » mneni ~ % 0 or can deilt e permissions for multiple documents (e.g-, a 
d by a document management system, or a set of file penmsstaos maintained 
obtained dootanent-permiss i 
v w » •* > \ * i doorKffl \r A set of data 750 feat can 

. icd \ i ACL, foe document identifier 7 [ 5, and a key generated by the server 730, 
, t} v , v , d em 720. The client 720 can use the set of data 750 to 

creak? a secured document 760, which is an encrypted version of foe document 710, This 
<c.\u - nt 760 can include the initial ACL, the document identifier 71 5. and the key 

packaged as part of the document 760, 

0087 , - i > 'urn * rth w&pect to the secured document 76= ; f e.g. : 

, v v. - u j ' i ^.ujiMi/'bndd ! l v. on > f - 

k ume t sent fc the server 730 and used s obtain he current 
v j * , ski 7. m nil 'L^vu^u 

n the repository f s > takea wife resps \ eat can he 



19 



wo nmnusim ?cmmKmmx$j 
onlro \ >ase( i document-perrn iSions fo s Uiox de a 5g< irreat peonissioxxs i 

, H ^ tn it v^i ' »i t.vuuii ^ ,n , » 
i i v ■> u the original do c 
nat start: dixuemen^ermLssions information, as das information can be retrieved train the 
repository 700 and translated whenever access to the document W >i , sled dfeough the 
server 730 may store fee document-passions information for otter purposes, 
|'00831 FIG. 8 is a block diagram ihVu » > m ' s * 

v - : .> ^ ! ! » 1 t.i s >t ^ s f m x phi I ^)ui ^v^t,, 

yxU s Jta ax SR. to an email. Whci . e.cc ^.^o \c«n an 

x e ^ , , icnt 800 can prompt the user for tire rules they wish to 

applytothea » • - : or the rules can he generated mtoniaticaUy based on a 
recipi t{ ? bt ',\ v mail The rules can be converted into an ACL 830 at a securing client 
820 and sent to a permissions-broker server 840. The server 840 can store the ACL and 

- „er as described, above. This data 850 can he used to create a secure 
v>x n . Ci>i> h\vi leuufiet vvhichmay be generated a mc o ; 
vis.. ^ a ace. n . ^ac, en e M'tn^ 

[0084] When a client attempts an action v, ttb esoee t ;> > ite so uj u$ tio s > 

n v 1 doenment 860 or any copies of this document), the document identifier 

can be ret s v from > c document, smt to fee server 840 and used to obtain the current ACL 
tot ;k i - ^hete the current ACL rejects the ere it eta tneniA 
stored in the server 840, The sender of the email can interact re t h .he ?u» e? 84, o change 
the ,-arsv a' \C1 C r the document 860, even after the email has been sent, Thus > actions 
Vs s ■ a a i ^ is. <u* t situ 1 s) < 

en after ti dt viuireni has Ken c st ihutet 

[008 s ? C\ ° \ << \ ' Xv.-<., i a, > <. i „ S x ^, • > XOi 

v s ; context of the server described in co PIG 2 a 

i k an be implemented. *h«.rt i 

j ^< s v, vv ai i piK >a i 
j Hiia Lk * n, sj -> . 

ic hi rethods used by fee server to man h k - < <« > 
a < t > f v asui actvsjs red silo -V-ve^ ,.0-e x> ^ \ to re^'Ov.? t«n re 
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implead nied tot various systems, such as NIS (Network Information Service), l,DAP f and an. 
„>u s s \ i , , > t ± is a public software program primarily mrmmg on 

l\1Xm,V! es «. rteroe nadm; so Mot, wxnxsmes^ j tuo'uu 
ansa; tredAC Gem, one ACL to be shared 1 x >.-e * » »u ' 

MKrt-c V 1 s ri to as policies). 

[0085| FIG. 9 is a block diagram illustrating <a documest * 

to i v. example of PIG. 2. The server 900 can support a variety of basic features, mohiding: 
t - . < - ocontn.n who can access i a <. > - dob 

i i r n ~ fee ability to evoke a document so thai it cars no longer- be 

" e^.d , w i i J wdidih miuuils Hi miit ospco^ 1 - > Ga m 
after which the document cannot be viewed; (4) Document Shredding - the ability to make a 
doe;rmem unrecoverable with respect to fee document control server upon the document's 

\> document decryption key; (5) Am ility to audit 

UtOl S \ ( > * 3 * MkVIS 1 i 

Access the ability to access a document when offline. In addition, features can. be easily 
added wdhom changing the arcGteeUire. 

[00871 Ah authentication service provider 910 can be hnpiernc i < 
elsewhere herein, and an access control service provider 930 can effect the access centred 
■nfrasttnciiire describee!. ACLs can include a set of Access Control Entri es (ACBs) and a set 
of properties, ALL properties can apply tothe ACL as a wiioie (e.g., exph i date). , 
ACE can in an mc1a.de a list of principals, a rule, and a validity 

xr~m< » e U ; "Hhcn an AC I >s evaluated, only ACEs feat are within their validity 
oeveoo.o v • n m <- d. Validity periods can allow different users and groups to be granted 

ffcre t ime For example m.ACi can specify that 
"only members of the picnic relations staff may view a document before its release dam after 

1 v ! XT 

0088 \ m ^ xl 03 properties atid grained and denied no 

-x-r.- v a m so, u to a viewing client application v e : lb s> 1 , > 
sh\ Lrined. Addit-on.iliy s penn \ } \ t xMemro 

3 , s t s G \t n m 
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} I'he serve,' n have iis 0% simplemecfeariisiBthat; < spt 
- - ,v a Securing Client interfaces nl o if * < 

internal ACL formal used by the server 900. The server 900 ears integrate with other systems* 
u\e^ > o a. Document Managaneiit Systems. DaU^v ^ k 

> ■ ^ ' > i , \„,1'\,, liilsV-. *l s 

* > c atformaoori, and fixe server 5)00 can be enabled to effideailv 

ccessl i oiii a canonical lisei-eentric matines A - , 

ob both the server 5)00 and a client 980 can be provided I ei " aiva \CJ 
, f MieannKV i» soured, c i - u 

securer 960 or a elienkbased document securer 990. ACLs an b rie aad c xs 

. < ^ Moreover, securing of documerb ^ v » ^ 

fashion, collected to the server 900, because the server can verify ACLs. 
OOHj v v ' N r mi - ! ' x * s 0 i a i i < i o \o* > v \ 
.. , * , - m0 groupsi have which permissions for a document, A principal can 

have multiple nam.es; however, a principal should also have a distinguished canonical name. 
One of the tasks of the server 900 can be translating the various names of a principal into its 
canonical name. While both permissions and properties ear describe authorised operations, 
v v < ok i s < Seed and properties can be of a variety of types. Permissions 
can be grantee if explicitly granted and not explicitly denied; undeclared i> - i can be 
implicitly denied. 

[0092] Each document can be associated with a single ACL. fypie dl> this t t lath msfeip 
can he A A bat in the case of policies this relationship can be N:A where mehiple t is <o 
. , vv ! % i ncnUdc can contain an uapmtahle snapshot of the 

V v - securing. The server 900 can also maintain a copy of the latest 

vnnxhfeti by authorised individuals. The server 90* 
^ , , i nieipai xnuneb to their canonical fenoird be. ■ 

^ ! i. i i 

i igad) Once ACLs are in canonical form, it can he much simpler to 
hhei v s en da. ^ *' a < i t -nun x bership 
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within groups as well, as dsternhnhig relevant authorizations i i sps s • 8c authenticate t >< \ 
i i u ill i 

<W tCSkciiL deeun vV , . . , 1 , > i U 

within &e server 900 directly. The aerver 900 can examine fee ACL, looking for ACBs that 
are currently valid and thai also contain either the aufeenlicated user or a group in which s/he 
is a sienahsr, and then extract the permissions and properties Foe s vet nfostrucl u to 
handle canomcahKaiion within the server 900 can have three tiers. A first tier can be an in- 

i s >K i ! , iii i 

tit >c u*ce acn s un "* \ i 

be the access control serviee -provider 930. 

[00.94f The access control service provider 930 c j » t > odal.es tl 
o<co „ n > vi i on canon ! • op ^ 

also specify whether the canonical > corresponds to a oaiKrnica; group or a , j o. ; > v 
However, the architecture need not assume that a specific principal module will generally 
know all answers, or be able to give a complete answer about a specific non-canonical string. 
To support multiple domains of expertise within the context of user and group repositories,, 
each principal module can publish the domain(s) over which it is the authority. The process of 
* s hh - e ci he implemented within the server 900 directly, can take a non- 
efine it h\ querying modules with authority until one declares 

<i& canonical. 

[0095] Memoes 970 in the server 900 can be authenticated- -user-centric, because a typical 
vo es *be server MOO dUemurang wheT.o 



groap:- but not "wmeh groups comam a speeuicuserr Mereoves mas 

anon i i 1 for*n<* n 1 1 •> i <. n < k 

c > - j > * and atnu^lauonfete^ediary can be employed. 
0 ivi co o non denominator can be assumed for group pro viders A group 

own- ess r^-ed „o be able topi owd $ ! 1 ot ! no > ti > < s ^ vain 
group c a- he lit* jsc hi the utrioi »fl hales. * rouo 
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modules can also provide membership information arpaked fe a group-centric manner, 
which can be an efficient approach given fee implesnenMton of many existing repositories. 

i < < tem, I mple, one server h -roup sen rue sin 

a batch operation on a daily basis, This cm be impleaded is fee server core and can involve 
1 in - unbii i! n 1 (.-n > v 

>s T > ' nw.li v >. <.s tv - mp K un *a 0 o ^ e no- <ie 

yu 1 ^ > these typ« of operations us g tar > s, sys n 
{{Wm K principal can be eifee 1 ! fe > esented as 

strings. Groups can contain principals. Principals can have many alias . xpressioiss thai can 
he evaluated and reduced to a primary canonical form. Users and groups can be of multiple 
* the naiue{£ sub doniafe.com format used in email 
• ?es can be adopted, even if fee document control system integration is not email-! - ed 
\ on * 1 t " tn , '.1 ,v 

, , 5 < it; im ,i 1 } k mil! . 1 > 

integration < avvK \, Seines iexo , 1 s \ un , neal form fos 

n \ s , <. 1^ v in 

, 1 mQi \ m s 

10099] An access control service provider interlace can include principal provider, 

u , v., i * two subtypes: user modules and group modules. The goal of these 

iuxkdcs r * to provide canonical infotmation sad group ? ibers - muaiion k 
5'itKlpal Vv.iMtii I - i i > n nil! < 1 The 

, via 1 t s , raor ed \ alue >s ^>\t n 
- > < %, i id how long the returned result can be considered valid in a 
* cr can have a domain of authority, specified as a set of regular 

^ i o 1 unjp pan idet oaa cm uvrrn Alrjn ^ . .vs<eo,f 

us domain of authority. 

0.100 , t er methods 97 

>mvidet ogbafiy, as there might bemuttip , »m u>>o - I 1 >> 
, v o ,s * *us u nv 1 noep Mo<. ales. From a high level each one can be 
, - ic 1 1 ehv, \ fek.eubackeea s> fe sa bo 
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- n, s x>ssi >1> multiple doiaabs. Moreover, defining different modules as domain and orit 

x x ^ <^ V x g <. \ ^ S\"! < 

[01011 oafiguradosa of the pi c c d-stint eapprop tfe class fds 

Lrihii MiiNf- h v. on vu. . 

connect strings x preferences, as well as >n > ^ xt to coiuignre what 1 authorities 

i " V i , J 3 > x. - v ^( x. S x ' x S 

i i 5 s x ■Asten 

( r »]s>o - - x.! t< v. x»i contain code xx > , umnv of 

principal providers, FIG, 10 is a block diagram illustrating example details of the ses \ er fron » 
FK f i i nu in a m nors each lied h\ CI 

.> i , >x> 'pmfeS The user canst' s sn 

i \ n K \ Ox' T 1 ! U t ' x s 

[(11031 The ACL manager 1010 can also include cross-method code, and as s ACL Service 
Provider Manager 1020 can boa tno< p > < -n . ,u >. k v <x t „ oio^-pervsr) 
caching. Queries to the ACL Service Provider Manager 1020 can firs; resell in cheeking 
vs lethe*" i <- < s L rot ihx, 

ACL Service Provider Manager 1020 ears issue queries to user aod group modules ; 040 and 
s tils'' »tox ige iayei as possi iU < 
e;e< xx! s > an expiratioa associated wi& the canonical s csult 'CvU >x e 

either the storage provider or the principal modules), 

0.104 ! G. 9, a storage sen u . k > interface 

*".iv ^ ' > 1 r the scs^er 900 uses toe o\i n rex c data m 

x an he *c\n se -t su \ ice provider Interfax e s 

t ..ton i at A i > ! i ! 

s > i vu x n !) u > i 

(i) Alloc x x urns tt that is secured on the sen > 

\x ' ui!x] x jdentif x > xx.iti(.?i ^ > 

Saving e - x xx > s s, groups, documents, and heroo server kt 
user alias and group membership data; (5) Auditing oser access and seeiiring; (6) 
\ x - o^ named ACLs or policies; (7) Storage and retrieval of the current 

^ s x < vi meats; (8) Ore anon of hiiiM ACLs for documents. 
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[m 05] The storage provider interface can be. designed to allow multiple irnpiementaiioBS 
across a wide variety of baekeod systems. This eaa be done using a generic relational 
database immemeoiatbrs, -Much can work with both ODBC and JDBC In addition, fee 
< - . <. -.uuo t u>pot t | on . u « \ 
tft < , lt i ! > kvS v ,emUo' t«r v 

smikhiforvvaxd. For example, this can be implemented by having ari integer m the database 
i * t eser aiion Document j tk bed i ! i 

p -> \ uv' «a<. o run am is s tmoeoen 
associated with a given ticket has been revoked. The storage provider can also store and 
sttk vhich can be arbitrary hytr arrays, by name. 

|0106] The storage provider can also provide storage tor asei alias and group membership 
data. Alias and membership information can bo used to evaluate access control hats; the 
storage oro\ Ider 920 car. be used as a cache to help ensure- reasonable performance even if the 
access control service provider 930 is not capable of providing efficient access to this 

■or example, in fee urn-ting case, fee access control information might corse 
,n provide fee required data. When caching 5 . umatio 
the storage provider can perform retrieval queries based upon a principal, much like user and 

h< data returned should be of fee same format, also providing at) 
adiea! 1 lidh Fhe goal crate such feat when the server uses user alias or greup 
membership data, fee server should not distinguish whether the dam provided is real - time or a 
cached version. 

[01 07] For a gi ven user or group, the canonical name of the user or group can be 
obtained. For a user, all of fee groups to which this user belongs can be obtained. Changes to 
s hie Changes to fee group membership cache may be more 
^ ^ \_ v s loMrts computation (group mmbers > § ip 1 - 

o s p, < \ group content changes may not be immediaidy visible if 
w p lit 1 mive closure of groups. 
(0108 N tm ring peraii sanddocamei iccess attempts (wl 

o . u , » m th ni-o the 11 ,« \> < > > m t! n 

•><. rmg dKw^^t-'s n Lvc m a s>> dehria >. 
sonpie of query methods on fee audit history- ouerying by document ticket and by user. The 
storage provider can also implement methods that allow ACL creation and modification. 
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These methods can be used to keep auditing history information. Multiple implementations 

relational database and/or using existing document management system notions of audit logs 

tnnf s audit trail objceisb 
1010.9] The storage provider 920 can store and re! neve \t % -v 

private ACL (e .j;:.., 1 •> a. particular user) or a public ACL. Public ACLs t N J pol.iei.es that 
a?c !inn\\e -o be sAartd aoiossniulnp i> ^ .m' s > ^ v 

ror* unn.eno no \vl c^r >w outre, oUonwmv e 

' ' ! » 1 > i a ~n »o simply take ACLs as arguments and return ACLs 

s III t S > , * v < A -, v A, 

[0110| The storage provider can have a set of methods to create, annate, delete, and 
< r v s " iv n vv s * i e 5 

e v m dsn v methods to associate a stored V ) v> ith a go. .o 
i; no tv v d '\ in. iJi% a given document with, an ACL,, ticket 
data can also be stored. This ticket data can be specific to a particular document and can be 

! i H 1 i d i 1 O < > v i 

a ell as wi t principal secured the document. An ACL shared amongst documents can also 
le ot securing oi a> the person who secured ids document 
si - he used by the securing client to provic e unornn t v 
to the service provider; Lor example, in a Docrimentum* system integration 11 < I ckeJ lat s 
v. - > v .on . i „h' CI TD tor the somce document The service provider 

information can also be a byte sequence received from the service r > t igaseU 
nanuvVab ton. nopriai inibmuuional aspects of the document 

corre pondira to the sen ce >rovid.er. 

0111 hi addition u» ! * s to retrieve ACLs by their name, the server can also 
specific documeat. When retrieving t > > < > v 
dv ! | xwidesahint allowius s opt nixed 

( ; > 5 m h I rel i J 

10112] When creating and storing an ACL, there is also the opportunity to pass through 
v. I > m "1 ^ <. i i tlc<-cu s v.*n 1 r. a 

jn 0\ \ in m la , \ >, i <. 
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h ss i )u U | ! >Mt> U\ l„0O^ V.vO'SO * 

\ v. > U5 \<. ^ l"CH i«v v i 

(0:1 1 3] The storage providers need not interpret. ACLs . The storage provider can simply 
store and r us terpretation o vlt s 1 

created it can be given an initial ACL, which can be stored in the document and used for 
< h s \» T h ' i ] 1 * - ' The 

nera r c rte no^ u\ c methods by which in?, .m\ s a , •> ^ 

back to the ses uriagor s lew ag components of the server In general there can be two m tin 
vi\s v » e , v ^ v u scv rvi does not havs my separate identity outside of tin? 
o< an o < s o ne^on-a sauna <_ k eeoshave 

an c.,eo < r> N oent control system m g , T he , s e - ; , in u , 

lot raei aside a Ekwamentum* repositor> 

be able to dvnaaiieaily control access to the content in terms of the current rules the 
repository aorTice io the object from which the content was derived. Moreover, once i ACL 
i v nodi tied by the owner, or by asys 1 case o 

policy. 

[01 14] Both the initial and the entreat ACL can be generated by the storage service 
>r-v < < !■ o eeoss control tor the content can be mediated in tcrnn * s u e.^ceno en 
v v. hoc" Oihoi w u>e, the management of the content may be precisely the same, 

\K li Tee ... v.n> or*Knc caae. In addition, a Boolean supporisPro vide 
i ot - sent can use to %o what serviee(s) are supported by the service provider, 

mc t us ive an xpectaiion of which service provider it can use, aad'caa 

^ - < ,j.t method if this service is actually supported by this 

u !i ^ v - • i< v tin < t 1 i ' 

be legally included in the service provider hi n t u * the defect, data). If 

is true for some semes th ntet ;e should, be 

itnplemented. Tims, a customer could use the same server both to protect content in a 

s - ^n e pmh'ct email attachments. 

HmS ' 0 can also include a cryptography cornp < a have 

i e> i - u uKvAnu .'id. n n v> .aV, 

(e.g., i w V i > >. 1 j .-n v c\ i t 

s « ex ryptogra > s Fh« e togra 
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i p ic c-ohi d general nierfeees allowin ibt rptoeatations I 
changed (e.g„ change key sizes, etc.) as needed, such as to add security futures and/or to 
dd eci entc >rises Addition liy. ih yptograp native 

udard erypiogtaphk c p~ y 5 m opc-nUton* 

[Oil 6 eenptogr^diycornponen 3 >rtk 

ibliowfec. prinntives: i syrnmehic euciyptiou and decryption (e.g., 128--bhAh23 (Advanced 
'it v Sta rd) tnd/or 1.28-hit RC4 <£ivest Cipher 4»; (2) public key encryption and 

v k > i024KtR>\) v as i^iti^atio* 

code (MAC) used to provide document integrity (eg., the one-way BMACSHAl hash 
luetic*, n - •> - vut hash auction fox which it is eompidauottally 

* v sages that hash to &e same value (e.g., SHA1); and (5) random 
number generation used to create cryptographic kc] s and intro< era ^ >o messages 

n i ,f o 1 d \ \ M O Ot V 

is ! era class for genu ^ > ' 

trmhemetuatieai). These crwttoesaphy primitives can be implemented in. Java osing hie Java 
rscrie ej^oa CI otvJu sm and in one of the .NET la a : . tlx v 

Sen c ! bat Iii iographv inter! a itograpi 

,honkl als > R used on the clients, as both die cheats and the servers in fee 
i a a\ ■ i. s ol s;\--,iora can secure and. access documents using li e < 
techniques. The cryptography interface can also be implemented, in C++ for any 

si i ( ! » > U s. > inK- 

[0117] FIG. 1 1 is a block diagram illustrating an offline document access model as can he 

a < tmmt control system. A client 1 1 10 can be communicatively coupled with a 
document control server 1 120 via a network 1100. The document control server 1 120 can 
<< nodeis, including a lease nv. .i \ a <. - ■ . n 
« v s - v t nis»t be online the first time a document is accessed and cars 

subsequently access the document offline for a specified period of time, i.e., the lease period. 

) t control set ver 1 1 20 can provide an initial access model where die 
e* 1 s cameo* is accessed for the first time Vsusedheren the term 
10 can communicate v < sat 11 10 

is connected with the network 1 100, and the server 1 120 is operational, whan the client t 
is online 
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fOIlS] In general, the client 1 1 10 and fee document control server 1120 periodically 
i > ! s a -a l 1 i ? c m ! j sts 

s n ^i'dutw\;n ut u > v 

with respect to secured dociunents that have yet to be acceded >\ Ode x x - u r r>l 1 ^ 
,u . ^ert document^,..! i 

, t i i 1 110 can send a request 1 , • > > s < 

1 120. The request 1130 can he tor m update to it*. otJ it k t *• v* » v o ,\ n > 
;in agent can he -< vided v< ith the client 1 1 1.0 thai periodically connects to the server 1 120 
and dovdo >* * ^formation; this svn s u> operation, can happen silently 

viuhcVv i i v v x\A 1 110 being aware < 

M^pcr. a vlocuneni. the downloaded offiint ! v 

by the client >^ ksk v,e- ieohlme 

10119] The request 1 1 30 can be any type of request sent to the server l 2 pm< ( ! 

> s • ^ . ^hent 1 110 to take an action with respect to a document 1135, 

s v ed si iheeii.cn wh< droayl ecured document or not 

The server M \>vu^ . cud iu at uu • an- > ^ ■ u die client 1 1 10 in connection with the 
equ s cation of a tut m d-usej ca u c s ool $ >f i .no 

, v ,k,nn tcr\u LiOuiKdsc i so noser! beu 

above, an i ' a don operation ca o > iv . >perations thai use 

\ « v) s < . s ~ " v i v oxa attempts to access or secure a docnaiont while online), 
x i , x m eon occur without prior authentication; the server 1 1 20 can 

i < u uMug the user's public key so that only the user cm 
f „ access ^formation car tx < ^ 
« v . . ns i pen a document, th< tabed iforamtio ;an >e \ cryptet 

< I St. ( v i - u > ! t 

|0:( 20J When the client 1 1 1 0 synehronk.es wi ih the serra 1120 il le sc 

j > n 1 140 neb includes a key 1145 associated with a group of users 
o whit v. — selongs a picture of a key is used symbolically in the figures to 
represent < ^ < \ i - I >^ < . < t - . - <c k >a s^„^crd 
eleca ' vdv ho ■> <. > Svitu-vt ^ n^uolKCatront 

document. 1150. The electronic documssit II 50 cm u ds ow't. v , . 
1155, and the electronic document 1150 can include the key 1.155 encrypted with the key 
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3.145. Alternatively, there nan be one or more levels of indirection in this key encryption 
relationship. For example, the key 1 145 can he used to decrypt the key 1155, which can be 
used to decrypt another key that is then used to decrypt the content of the document 1 1 50, 
i re* o sk i i- v\< o o e - n \iA 

s i oup of uses s , eaa be used to access the secured electronic. 
a oil ne by detrvpnno a second ke\ 11-5 rt the electro ut doeumt t 
1 150. Additionally, the offline access iniomiatioo 1140 can include other group-specific 
■e> « ore use | ifie-1 at Vast one set of document-permissions information 
associated with multiple doeirments (e,g. ? a policy as described above}, and a document 
revocation I t 

(0521] ' c-Vv » ^ [ icr£tiioncan<'xfc>f mvolvcn^e J.ern U v f 

server 1 120 an offline audi t log 1 1 60 of operations performed b\ me . . *, v » . 

i penebualh ^\nemon!ze with, the server to upload audit * * ^> 
have bee 1 aid to downh ad the lates * 3 ev ocal ? s < 

> v v v - .o vmptoving ACLs as described above, all new ACLs need not be 

u t \ cioai/ to bunu i < pi linlh <> sx s 

n lie document co r ?> cm can provide a constrained set. of guarantees as to 
.(he freshness of data. The guarantees used can be as folio v 1 I send nrnerU-speeifie 
\CL-a > sp« ,ine- a >erk d of offline validity (e.g., a number hours or nays tor which 
■ !kuv i~v<< V i-^ahd before another synchro < server is need 

t ik c ont may not he viewed offline without synchronizatkm). (2) At 

\ - , v v\ \ anna, and policy updates are synchronized wjlbthc cheat 
Thus, a v v\ * t i > s j ! ' > i f t «. i 

with respect to a particular document. Mntesa, t ^ f 

\e b ument being accessed while online, 

JH22 \ ! N! i i > i > , 

server. A request is received at 1 200. in response to the request;, the server determines if an 
x eoh t N 4 sample the em m compare tin if nt 
synchromzatlon with a time of last change m user-group information tor die user, or the 
so" 1 -* o c i v ratv > ! rr>t ' in j h ^ u _t ana ^ 

v < O! i v ^ ( k\ J ! ! 
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re mm is 6 gro p keys a J the sen ercan respond based on whether any changes to fee 

{0123] . ^ 1 Ok i t HlMlHtk vts iX'Oll ' * 1 

can involve the server sending the client a list of the keys to remove arid the keys to add 

! < t sded, the &ervtt sends a validation of the caned user-group 

information at 1230. This indicates to the client that current offline access information is 
valid, and . a server are sj^ndhroniKed as of the current tin 
She server sends the t « v^.a «&} nuka '^Oo revalidates the client 
\ v > s< -vet <.<malso send a bcn-er-refercTo t - - v i< - ecorded a? 

k-tniuinjt whei:u> client semn svue a m ^ ^ 
ruturc. Finally, the server receives an offline audit tog from die client at 1240, Thus, the 
server can generate audits, as described above, that include information relating to actions 
u'e offline. 
dlC o>vi dui ! 
client. O . ^ vi> maiion, including a first key, is received, and an ofihneaudit og 
s „ ! < 1 l ant retains 

<< . ^S'c mo ■ r i 1 i u<] w f t ^ v , . \ ! n$s>on 

v c t < "v v. 'i 'oe in a secare manner, s-s, .or can rot 

. h mfomiation. 

(01 25] Security may be provided by encrypting the files with a cryptographic key stored 

- ^ v n Ji as a smarteard or an enUH\ i •> . > > , 

that ship with some laptops provided by lutein a < • a' . - >v ' i ., >o ^ orporation of 

\ <v I S ! 1 s 1 > ' 

v \ i son So provide soon, on :\ 'iu s 

, 5 , v k v „ ov \ kv o.a i oui rA^x, undated ACLs for 

v and security data for documents the client has a ssed wink me, 
s'\- ^ , , ,e ^\>a;$ons pedbnned fey the client whale offline. 

(0;! 26] A request to access a document is received when the client is not connected to the 

* A check is made to determine if a recent server synchronization has 
oecarreo . aeeuaon 1 340, For oaarnple, the eiieot . check vfeahea a difference between a 
current time and a receipt t ime of the offline access information exceeds a server- 
synelrronizat.5«n-feq\isney parameter. The server-synclu-oxiization^&eqnencypanuxieter can 
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he specific to the document to he apcmed. Moreover, dot* raii u im i c 

i sons between the is nov ^ cl on j i in ok I 1 

clock. 

10127] li ; *yuchtom at on with Ik. servei has no, occurred recent!} emm > 

nt 5 1 f } i 1 ! 1 1 v i \ > v. 

the first key is used to decrypt a second key is the document at 1360. Actions with respect to 
die electronic document can be governed based on doc* men > s < 

t 1 * io viiim t v > i\a' tnttw 

r-« . v: <r. >nv ^ c .ds^ckng the docusient-pennissions information from the 
electronic doctimeat itself. Governing actions with respect to the electronic document can 
i : < . < . \ . \ policy relcrcnee in flic ck cttonic doc v 

doounwrewernosnioes mfbrcnaiion retained locally, based on the document policy .reference. 
AJmnon. . , c . r i km, which can record bofti document access and attempted 
k< en; - <e tsamtained at 1380. 

|0128| FIG. 14 is a block diagram illustrating components >, v «\ , su ^ 
Included where the secured document 1400 can he an encrypt dictionary 1 405. The encrypt 
1 i , whb h c i .ho used to k s • 
\l v dcr "sn 50 v m u nt e, port numb i > > 

server to conta when rdine. The encrypt dictionary 1405 ca > - d within the 

^ i j ' • <. ! ' 1 1 _ k "> - docum 

w^n- \ v. , s, l hi encrypt the document content), 
1(11.29] An example encrypt dictionary 14U) includes! document ix sr., o 

< , s c, d h >s v) and cane orinore encrypted dooms eys 1430 
n the content of the document 1400 eat n t d 
nndtipie times asmg croup keys and user keys, and these encrypted document keys 1430 can 

? ■* ! ^ in tivai. 

control server can dynamically generate and maintain user arid group keys tor the user and 
" ^ , , Svt;U} By including the encrypted d. unmix k« 

edoc , i >enalssions Mbxaaatic f i 

supported by providin: >up keys to the client using the 

v v. j i i O-d 
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[0130* Another example encrypt dictionary 1440 includes a document key 1450, m ACL 

v + U v A v 10 ITU i •* 

i edxess keys 490 I'he document key 1450 ea be random 28 s ne> snerate 
! v moused to eneryp Ox ut ( , >u i ^ R< * u 

i ! i J i. ^ ^ , a * 

generated session key, arid a MAC can be used to detect any modification of ids encrypt 

^ v v encrypt sexton A A v.' k dn x s A ^ r ^ 
using the group keys and die user keys. Additionally, the session key con be encrypted with 
the server s poi:dk key. 

[9133 i j er attempts to open a document offline, the client, can deck to see if the 

v m.r in n rvpied 1 1 the j&uAs key or &s 
. esv-r C a member. The client can obtain the user's key and keys for ail 

<■ i ^ ' , i ( - ! r I ! x j ;\ 

, v u> v * * p d-t information in the document's ent ' 

x . < i A x . t ic ACL in the same way ACLs are evaluated on the server to 
ssions the user has. The client's revocation list can be cheeked, and if 
the doenoxsx has not deer; revoked and i not expired, die document can bo opened and the 
use' - . i ted locally. 

|0132 - ; < Hows a user to be offline f enrstd.rs theya* esse 

, a . ,'\t\ui\ co js^^ix the i j . u ! > s, j ! 

embeddet rto Ado , the document AWheu a user attempts to ope? be >cts oeiAA 

v , s A iur.i t u bdher they have access. The document. 1400 can 
still he revoked or expire even though an initial ACL is kepi within the document. Moreover, 
the o* *A o\ ^ .5 oi 1400 maintained elsewhere can be update 

v v 1 > time a& described above, 

oi 33 v document online, the current ACL, which can be stored on 

1 oi a ac i \ i it 

i ) i A client obtain- A \.n< V 

i o) x t document sessio A s i ! x encrypted 

^ni l a ot each v » xe p tha~ can access me document Both the ACL and the 

! i that nut ail > \ en 
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[0134] Moreover, the document permissiaas information 1420 1460 in the doco « c 
a <<_ \ . uit" > )o ,.k, re. ottos: H .ton ; ' \ 

o j v <. <. vi f c < v u v h > 1 ! i ^ - 

, e v ,j ! , Jcmcd locally, ha^ti « uv , ^ 

reference. .As the document control system can guarantee that all policy updates are rdieeted 

> ca^ changi. a pone) 

i i i bounded amour t e n i i I o .r- 

^ . > dmg access to any documents. 

,0i ^51 ! un uus <. >u n 

<. i , wfk < UoJ )' > > *. > - > -> K In 

sit i user accesses a doeum^i from <r>t ■ u\ must be 

online. At that time, they receive an. offline tee, which allows them to view the document 
s\ < i< i» >e >< c the lease must be renewed. Such a. tee model 

can be implement ed he d( cument control system described by embedding an mifiai ACL 

nK mi ii dr>\ lien ih I pv, ttto lo\ 1 u 
ACL can be retained or me client before a new one needs to be fetched front the server. 
\ddc - . . . < \ ■ ^ c in . s system can he configurable to enable a no-oifiiae-aecess 

mode; m which the cscr must be online in order to access a document; o this case, the 'keys 
i\A,\i i v uutm-ed not ever he retained on the client. 
[0136] The document control system can. provide all of Uk to u ^ » o »n on - 

corner i i. < o t to the au t < e^ t»t cheat turn \ f) I «' -< oo \ 

^ < \ i> tar mtecd to he reflected on each client within the 

<. h mcc all policies sec J a *. if even 

j i f vl Modification- A (non-p< has been 

v s s * durri orb, if it is viewed while online Ren tec! os > 
v s k v. i e dropped from, the chen w Jinn the ^ ahd f . s 

w ^ < t omcnt that has been revoked is guaranteed to be unviewabie 

lit he offline valid it c 
\ w to m H r c j nf tbi ii i a suoouueuno nxcanon (4) 

Expiration - A document thai has expired will he unviewabie on the expiration date 

axdless * s ne or offline. (5)E ph u modi fit i 

v v sine hi the AC I , and so expiration modifications are reflected as pet-Policy or ner-ACL 
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modification. (6) User or Group membership modification - If a user's key is revoked (e.g., 
, u s , > om 01 i i ' v li o fuin * , , - < . . « 

thai the user will not be able to view a document that they no longer have access to within the 
offline ,5 ho m n the document 

! 0 137] HO. 1 5 is a flow chart illustrating, a document Information delivery technique 
» ; v v> ' t jui n!0"MI> -pv< I > s >. r ' (. 

1- - - v.* > < d> ' ^ 1 >. hi response to the request, information associated 

< ument is identified ai 1 5 1 0 Fho^> 
mlseak secoj n documei hat is different rorn and assoc tted.wi end 

u < i aosoc ate two or more docis eats and cas 

describe the reMionsMp(s) between mem; this assoo a oi u »» i . . u 

server, such as in a table or a database, Mormation concerning the second electronic 
d . i ^ xn uv..u 152u to facilitate the action to bctaktn 

!. i << t < dms h 

< "'on \> the client to allow selection of one of the first and second 

do it - U > i . ' >. 'w 

' electronic docmnenk and staa i; 'h> od olecuoni'c 
document to the client to allow taking of the action with respect to the second electronic 
v»ou'e <. < < < e^pvct to the first electronic document In c t cumei 

n \ •> i j 1 o ut h 

i a ' ond document. 
(0139 <^ ± diagram illusiratm worldio in a document a i system t 

;vr 1 .,s!ix\ r causat^-th oupKlvnl >Jm"3 p\w ^ ? --' !, vio,s 

. v :-- ; \ f Ik cUcnt 1 < • i 1 can send a request 1 630 to the document control server 1620, 
a en - los-t i( tiv . > an action to be taken with speot a« u 1 1640. Ihe 
v * v * \ matton Id-15. which can be stored locally or elsewhere, that is 

associated wkh she document 1640 and inda a is, a- u • "J > . . 

Mm. .lion aboa the second cOvU rent 16*>< 

and/or the document 1650 itself. 
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P.40j The client 1610 can force a user to view the second document 3 650 based on the 
( mpl he second do iment >^ ah 

document 1640, > , > n m a 1655 can include docoment-pemnsssons infomvahoa 

specifying that the action is net. permitted with respect to the .first document 1040. The first 
! se replaced fidit e secon locum t 165 c opened is place - d\ 

stdo. i uh < vnU* v borage over the first document) by the cfieul 16 1 0, including 
te « the v im» ledge of the use : I he second, document 1050 can. also he a 

>t-> o _ .^iin(t-g,aFiendjM.MOko ai ! £ »,J ^! lOaou 1 tot t"i; 

sc-kv * . - . - > > nenmvit 

1640. 

|014J.| Obtaining the second electronic document 1.650 at the server 1 020 can involve 
»v e-s at * y it least a portion of the second electronic document 1650 (including potentially 
> ev'-xni )50) s or the document 1650 can he a pn sxision 

i s ,< , o* nihon '045 can include user-based as&o< 1 i 
obtaining the doe-uncut 1650 can .involve obtaining the document 1 050 based on the user- 

l mi u n A t nienUfted user at the client 1610. The document- 1650 
uoV( lim >rn*ht ,ur use- the ^e> 1 >ca u <n and or i \ > k v s 

41 can be a stub document that is already nn ■> ' 
s opened, each usei <-«u 
^ s s : s i * v ^ lor that user at the time of the access attempt, i.e., the stab 
vv v and v an be manipulated as a regular document ianop< sien 

« sod wMls online). Customization of the document 1 650 can 
be dons at the server ; 620 or elsewhere. The user can he identified as described above, and 
the doeumen t control system can also employ the systems and tec! mi 

- » pphcafion: the documents 1640, 1650 can be secured documents as 
described above, 

| 0142] < Sow cha? d!as.fcaiing a document Mormation receiving techniqxm 

» lO x VI,! t ' <- it vU \ 

020 v a scenreo document, as described above, that identifies a 
document control server to contact. A document control server kientif : od from 5 - i ated 
> ! , v <owii determine whether the distributed document is 

the app 1 fferenti lated document s al Use of; 
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second document in place of the distributed document is forced at i ?20 } with respect to a 

em action, based 5 serve* 
10143] A document eontrol system can thus address both issues of document security and 

i i f ! <t} W W t ! 1 Mi v , Wi n 

viewed, in place of the distributed, version, this etui be defined and comn ko ; >emn.« it 
a ntro > t indies document security for distributed documents. An author of a 

dolmen s.u a distributed verstnn of adocinne;\ t j v. , ..w, ^ 

v.<.;i < d >:ead Moreover, an audio ><> easi o1 roultip < >ns 

of a doe-wee. I an 1 u se -based definitions of who should view which version. 
|0144] An author or administrator can designate which documents a < » >px p < 
version.* w n k , net s chiding the possibility that two users 1 tirelyt 
documents with different contest aad whidi are different docaracnt versio < sej s< < 
ho \- v dually distributed -document \ e -n t 

dosutnem * , . sled using the document idksi&fiafs generated > counts 

is a vensio n * 1 on voted edges indicate which versions take precedence. Each edge can 
ah - h Ilea e i<> «cb > h users it applies. A graphical user inter ace tin Jis >laying 1 ms ea 
... , i k ps, such as by drag a orations to spec? J 

h v , d d m favor of o&er versions. 

0145 , i , t ( < . a i is > ^ t > 

, v vstera can ensure that eai eron e latest 

nv» ( noben ot -evocation in die document control system can be 

. 1 , e. * h ether a document has been replaced witii another, "inns, upon opening 
, themwersowtat^s in-tir d? editors 

n ( ete ruination can he made as to w hether the . . . should. 

veacew spec s > sf the document TK ^*"> r 'u . i) ^ \ 
o\ ■■ \ »«. ading potentially providing an additional repository 

service where documents that are being. persisteartlyversioned can be stored. 
>014oj [nthecass < ere each us< aiviewa* - rchcanhe 
uv. > ! iu rib s[\c<t> intersecting nseonoop^ ! ! * 

version a i ' 1 - >.«.,. . ' i.r 

executive should see version v where additional version u e ( information specifies 
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that fee executive can open fee subordinate versions A aadB in addition to version C). Rules 

v j" ^ pun tikvi. 

(6147} The systems and techniques described herein can he combined "m a comprehensive 
» S3 stem employing multiple document control servers. Referring again to 
Its iHv. document cviiTxol >en i 1 * reimplement fee v,r v u . u ik- vK m 1 v s 
oioao . \! ' n.- u - . all client-server eommTmicafems can he over 

Secure S As m ncrypts the commtinications and provides server 

} , nag of documents can he done using client-side seeim»g. The 
.... - \ i i >< !• ^ ,i an J. Mi. v s l <> . 

VI s«asitiv« uon in the set s ei * K) can be encn pu < s ^ v i 

.u* v . >. uvtwnon key used for this can be embedded m the server code, .hidden in 

,r aufe'oj contained within a iampei mi eryp iphk 
x> ivi t v'i <. mi ^ i \ v > ! ^n." 

afeaeufeaU< us fej multiple » on am e operations feat require aufeenticatbs. Cached 

v ! s nehide an. expiration date to limit its v Udit> > <■ i m< ean 
* ' t empts to authenticate against fee server 900. 

|0.148l ( n i,' i i i - ^ i , t . , 1 s. 

\ d- « . .ne\ - m com cned from one format to another (e.g., horn Microsoft Word to 
PDl ' etbresc ; the document control system can be integrated with a FDF 7M 
creation service for this purpose. The securer eornponent 960, .990 can be a wrapper around a 
« PDJ m document as iaput as well as an encryption, key aud a set of 

- ci btmatkm to be embedded in tl moment's 
i ran encrypt fee document \v ni Ik roMdu. < 
, \ n\ . - , < mnent. When fee securing .s 

v i can he done in a separate process, i > . » 

, v ^ , s quests can hesimukar 

v I s n be a configuration option :< * i ! 

i <_ i n ox <.(. s ' i 

which raunber can also be a configuration option, or after any unsuccessful securing 
operation, 
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[014*?! IG x v ux iagrami ustraiiag document % i win the 

document control server of FIG. 9. Securing a document can generally involve two high- 
o u j ^ter siak, assocated with se^ui 

(i J « ament and encryptrag it. Preparing stats can be a 

u H it ng hov a doeumcn , u 

and the server, which cau prepare the system tor the secure document. Emhedding 
« « . *> . v ^ r>! seeming can be done either on the server (e.g.. the 

» o a es rr me of securing and then fee encrypted tores 
is returned to fee client), or on. the client (e.g., the client has the cornp< uei 
>u ^ o eat), 

[0150] The stximng client can prepare a speci.fiea.iioo of the desired security for the 
o > - \ V N» an involve end-user interaction in a client, such as an email 

<«> v . c. provided by Microsoft Corporation of Redmond, 

Washington, T he client can connect to the server via the RPC, authenticate, and send 

i er { 1 800) If the system is using server-side securing, the client can 
o *. i ' m f v. n >{ ip v t ><. < 

s lis \ nx-nhaOoo need b 

[0151.1 rhe server ct nne m<u he has tk k i 

w « N - t . \ a mvn on. m provide a ticket (GOJD) foi ! batmen 

The Access Control Last specification can he given to the Access Control Manager so it can 
i > 1 <\, > up i< n-> s r f 

5 u» nwoe ory cache of canonical mappings. The storage provider can he 

queried fb ch< oal mappings (1820). Principal, providers can be queried tor 

i (t s m v The canoniealized ACL can he persisted in tire 

How forsuhstjqu < • < ^ 

[0t5:j I ie rrii i i 1 $ d Ubd 

i ~y-?c- Vo-vj^eProv cu (1835), whicn can create c Joe , ' 
u ont If document shredding is not desired I \ 

, , ! , -O ! IH vt\l pil 1 ) \ I » Ov. , 

ud , ot Ik, cnu pt ) \ s i Ifth 

securing, the encrypted ticket data ftom the Cryptography module 
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cars be m bend* d w ill meat, ana the document key c«a be used to enexypt fee 

b smg client-side securing, tliis is u>1 j s 

P153| The system can audit thai a document was secured (1845). If the system is using 
erver-side securiug hs -sa file cai returned to t Ns - x - 

i iai fee doemneut key ca?i be returned to fee client ( i 

is > ! i cuo securer oa the client ca emb e encrypted 

rctvpt the document nss ' ecus ien; l:e\ on fee a <. S > 
[0154] FIG. : 9 .;s a block diagram illustrating server-aide ACL evaluation workflow in 
the document control server of FIG. 9. When fee server performs an operation that involves 

eacrvpted server control infermation within fee document can be decrypted. (1910), The 
t,c\ t v k > » « formation can be used to retrieve fee most recent document. 

CI < vice provider (1920). The Access? Control \ a" - - i n tu 

i k oemwssions are relevant to fee aofeei ica rheAC! 

s > v to oe< e-mr *e w h?< h p oups 

the authenticated user belongs to (1940). 

|0IS5] FKi 20 k a block diagram illustrating o ne does low in fee 

kvnnu ? observer of FIG. 9. Viewing a document while online can involve two major 
< * i i ..i-iiinwi'iKiii ^, 50th i i <. > 

and fee second phase involves returning fee document key to decryp 

cut is to be viewed online, a viewing application can open a secured 
dor v ognk ha ht document is associated with the control, server (e.g.., fee 

? v ol.ve a security handler in fee viewing client). Using the server RFC, fee 

\ x xct ,Mmt to the server fee encrypted control information within the 

\ ^ v ^ >0) The server can evaluate the -ACL as an operation 

(2010), as described above in cot • 11 % 1 ' ^nensfee 
storage provider can be queried to ensure this document has not been revoked (2020). The 

s icied bom fee control infonnatiou (2030). The server can audit fee 
\ a tent (20*40). The most recent ACL, the rules bar viewing this 
ioeiarn s v unit t key can feen be returned to fee viewing client (2050). 

fpi 0!uri!v.nri th; pun io; s w j > 
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1 atoiu <ft* n jo oi vr andprovid c pi 
sucf.i t he document cars >e viewed) 

[0156] G. 21 is a'biockdiagca 1 i > « n the document 

FIG * The c&cutcaa m& fee encryp d control iafon - s 
(2100). The server can determine whether the authenticate user has permission to revoke 

revoke fee document (2120). The client can receive an acknowledgement (2130). 

|0I5^| A ID Itn ^ U !!C .Ivf'Vlf UK 

v. <. ! 1 > t send die ouer\ u c 

i'x o' . tw cn<- c.~\ duomke whethea be a hontica s< i ermissio o 
c * ? .1$ document (2210), as described above in connection with FIG. 19, 
i i ^ i i urn , ^ ! t u-«»r v, <. 
(2220), The client can then receive and display the audit mtbrmatioa to the user (2230). 
[0158] FIG. 23 is a block diagram illustrating a document control system, with multiple 
doeumsm control servers 2360, The system can use a three tier a. \v to provide 
reliability and scalability. Clients 2310, 2320. 2330 in an application tier 2300 communicate 
us % vnj 2360 in a business logic tier 2350, which communicate 
< { 1 n 1 BMS N a i n s ! 

2370. All server state that is not specific to that particular instance of the server can be stored 

! < j , ipl t s axes can share such state. 

H|M> : - o de document control server instances 2360 are used, requests can be 

o 1 - in a as down, A load balancer 2340 can handle routing of 

rerpees ei far s 2360. Witlnn a server ibek ' > < < * l x x, 

h c code, snob, as Java or a .NI ug In 
order to manage many canonical and non-cane? i O' levels of cache can he 

iun , •> - mm.auor. A server 2360 can have an im-memory cache of canonical 

- „ < > n' ^ quern, i an L . 

control servers can share the secondary cache within the storage provider. 
[0.130] S kred into.! m x.ist within eil 1 : * 

caiiiO, >< n v,v. p ^ \" os • n,,i-.\ in r< -u^i > ^ > piowec 

, . i ! o> \th locally and witlui i th >a> , , 

sbou d be bald vproce^wi such thn t t , m 
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a reasonable amount of time.. One of the document control servers, as a secondary service, 
ca >e designated a master- aid lias h iityc >erfo.nnirsg &< satd iroeessing 

ivn t r s curing tan be done ot ttt 

amd d scoment to and from the server and to reduce the load oh the server. 

Likewise, with client-side securing, the client can also perform the document encryption, 
furthes deoreat ng server load 

016 i recti *> saver replicas to be adds i « 

eniaentscanbetedieredtoaclusternf se^ > v\i\ 
hostname, as described above. DNS (Domain Naming System) tourxd-xobm cr ib< a< de : h 
,i. v' v \ >0' additional hardware to act as document control servers. The servers 
. > <- are scalability concern can be reduced to She standard "one 
i,a.i;v,N - me . \lgcu"thrns regar$ag principal tsmo^smmt cm be deigned to he Off.) 
s and Our) for agireuate operations ) 

O I 0 > t 

, o * < < t ?i , uv i ura oiw. i * x o e 

v \ ,va>nuatmns of diem \ppd arm. o die invention , > ! 'L-.wia.,:. , 

srdovare product (e.g., a computer program product) tangibly embodied lit a machine- 
readable storage device for execution by a. programmable processor: and processing 
o -\ru * w i n van be performed by a programmable processor executing a 

s r tociiot invi io b >pe aiingonmp 

t - he ro cation can be implemented advantageously in one or more 
,<«\*<i „ ^ executable on a programmable system including at least one 

' ii u-nte^e^ aodtotnettoas »on tin v i 
no, a data storage system, at least one input device, and at least one output 
^piogmmea* I K\>^mJst mjeet 

oriented tuogranuuing tartgtnuae. or in assembly or machine language if desired; aod to any 
case, ti aoguage can h< a compiled or unco, <n le p 

ivsy of example, both i i and special purpose soioroproeessors. Generally, a processor 
will receive Instructions and data iron*, a. read-only memory, a random access memory and/or 
a tnaehine-readah.se signal (e.g.. .a digital signal received through a network connection). 
Generally, a computer will include one or more mass storage devices for storing data tiles; 
such devices biehjoa t > x disks, 
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magneto-optical disks, and optical disks, Storage devices suitable for tangibly ^bodying 
■■ .1 data include all forms of sea-volatile memory, including 
. < npie semiconductor memory devices, such as EPllOM (electrically 

i > rrP?u\ !,v erasable program! < < 

s sms, magnetic djsfct. ^uek a~> 

..t >op < u-- , <md CD-ROM disks. Any of the foregoing can be 
-'^ > ^ ' < *h\! n ar<j te«tion spec; ;n neeenc* ^ 

i,J<> i s > ^amidarcrnVsod turnup Onus 

embodiments are within the scope of the following claims. For example, foe operations of 
' ! so no s. pafo med in a different order and still .dtn ^ m , „ , < 
operations can be provided as a hosted service, using a subscription huskies model, ami 

< ( i all > a\ atlab e s\ steu md < street *m ava-'l Ms ox er 

foe internet The document version control techniques can be implemented using peer-to- 

' s 1 xhmoos vIokmv^! ^ t y pennm.ons foi tkK 

- N - ^ cm ktioiw mtix respect to document content given different wxakflcm 

•> ,v v > > ^ .Mo petple re sign a document, or portions of a 

. , <■ , n^ons that control who may fill out and/or view d < ons o 

[0164| Additionally, an alternative to always synchronizing policy updates but not 

- nl a > - voive providing information regard i t e 

system have changed Synchronization operations can then he divided into high and low 
e 1 1 > a- ,,.mm n svnchn.>razatio»s can occur in the background more 

^«v<u rr* , J i <4 wls of when information has changed. For example, an 

mm j o j <^te ^ua?o 5 sa d u < h <. ( x^siasf. 

f oj operations can entail how m&rrnatbn has 

dX\e;, . > ^i! \ , V J ,j i( n , , O S . " X 

tim system sss changed. Synch! , , 

' -> v t, rhau 4 sirairaary of what has changed. If access 

^ man 10- dt cum en > hut ms 

not performed a low priority synchronization, the system can he conservative and an 
mpiement j t ysyuebre dies 
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CLAIMS 

What is claused is: 

1 . A method mr.u\ io_ 

s umMn take an action with \ ^ >« jpi-j 

\ i v^.^n^ k Jk arc nation t! n t stribi u 

electronic do ? i ?sociated information indicating a second electronic document 

- ^huted electronic document; and 
Mat >e_ eoneeimiBg the second elecif do i 
: . vvond electronic document. 

2> th v Jji), 1 ' rein .ceivi in cm *>t .empco s v s ; A 

' s u« t<5kf the action with TV5=pc<r to u < ; 

am. nom < nhi \ rt 111 dxv.mu! s'c aiaui ^\am alt / v iu u 

^soaaied unotmation comprises identifying jissncrm ; .> * s me:e* 
atiix s v w v . u a r « h t \ second document information comprises relating tie second 
document information from the server to the client 

3. The method of claim 2, vybencin relating the second document hifotmatkm 
compnsm sending the second document information to the client to allow the client to obtain 

v , . o N : 

4. oi claim 2, s>> n> \ 
^ i , on* o: a document 

5. >. \ 3 i document 
or-;- so c -e- * ^ sees, ml \, ?sfons of a document. 
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6. The method of claim 2, wherein relating the second document information 
comprises: 

obtaining the second electronic dbcament; and 
i . ix l T c cm 

?. The method of claim 6, wherein the second electronic document comprises a 
later version of she distributed electronic document, ana tde associated in&rruadtm comprises 
aoemnent-perirdssioas reformation specifying that the action is not permitted with respect to 
fee dn;5rxh ! v 

8. The method of claim 7> wherein the document-permissions information 

t the edst muted electronic 

document 

9. The .method of claim 6, wherein the associated information comprises rrser-- 

kj > i vl , U v ^ <. U. O v. vv L' v I) 

> ( i m t? u mp isv ■> i tnt H ug 't^vio t < » > ert based 

i i u>r and. an identified user at the client 

1 0. The method of claim 9, wherein obtaining the second electronic document 
fhnhvr * . j rnog at least a portion of the second electronic document based on the 
nieodded user 

« v » * - - <cm i> ^ herein the distributed and second documents 
x V 1 s ojinc i4 document. 

1 2. The method of claim 6, wherein the distributed electronic document comprises 
m v , , ctomc documeat comprises a later version of the software 

program, and the action comprises moning the software program. 
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i ie aetb >dofc m 2, fm 
accessiag the distributed electronic document at the client; 

identifying an address of She server and t do* ami u identifier in the distributed eke roeo- 
doeameat; 

sen e doeumej dentrfier and. tbe requeued action te the server using the address; 

and 

q»ks.-u <. a iribu d document, at the client with the second document. 

i , \ wherein replacing , s u i ^ ^ t 

t f 1 m second document 

15. The .method of claim 14, vd< > t 

- f i tier, and replacing the distributed document further 
comprises writing over the distributed document with the second document ia a storage 
device. 

\ * omprishig 
* ed distributed document; 

contacting a document control server identified h the distributed 1 < < and 
forcing use of a second document in place of die dtsv t h -pee, to at 

least one document action, based on information received from the document control server 

I ?. The method of claim 1 < further 1 4 * , >n the second document 
based on tbe received information, 

18, The method, of claim 16, wherein the received information comprises the 
second dt sumsnl 

19, The method of claim Id, wherein the second dm no t , < > < 1 a 

i md forcing use comprises tra&sp-u t t tg th 

- r ^ ^ ^ , d opening the second doeument. 
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20, The .method of claim ! 9, wherein forcing use further comprises transparently 
overwriting the distributed document wim the second document 



s| i , 0 M H 5 i > v s > v , U i 

C as , . C * lii >. I 

fhe .method. i 1 re-re ih< Ustributed docu >rap 

v<md doe-uraeul eoinprises & later version of the software program, 
) s t -.otfware ptogram 

\so ^ s t > n i ! v n 

software product comprising instructions operable to cause one or more data processing 
?ol> comprising: 

\\o s * i \ n •> i i i« to <. > i u 

idtatitytag, in response to the request, hribrmation associated with the distributed, 
electronic document, the associated information indicating a second electronic document 
> c cjcd with the distributed electronic document and 

imparting information concerning the second electronic document to force the action to be 
taken with respect to the second electronic document 

. ' claim 23, wherein neu* i 1 reprises 

distributed electronic documen t wherein the distributed electronic document is retained 
t. c -' \:cc: \ lie associated mfomtation. comprise .! > 
> tafoed at the ser sr, and imparting the second document information comprises 

s s xx omthcsetv«.r totheoheut 

25. The software product of cla im 24, wherein relating the second doctnaem 
I n ^ 3 > n , ' i < s > c n to allow <ne 

< 1 »cumen + 
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26. The software product of claim 24, wherein relating the second, document 
ip 

v d cumeni; 

The software product of claim 26 where e I electro 

so i' tht f.sssnia*^ 

mthnnathui eonrorhv ' , r ;cui^ 1 " a , . ; 

M-mht „sp ti< he distributed electronic document at the client. 

s \ tV i Hn. oi t n i i 

« x - wki ^\ .uii 1 ! i-iiui i ndicaimgihefeKi s < oeuroeriu 

and obtai&bg the second electronic document comprises identifying the second electronic 
s i sex -dependent association information and an identified user at the 

client. 

29. The software product of claim 28, wherein. obtaining the second electronic 
docurecjit further comprises generating tit least a portion of the second electronic document 
based on the klenti bed 

I in sol v are product of claim 26, wherein tin ,h J un ted s ^ • \ a document 
*'are program, the second electronic document camp* • > x 

oxou un, and is uos?* oi\ 

^ \*L v .^ui.Vi!X«C(i s uuun mo 

software product comprising instructions operable to cause one or more data processing 
Dos compiismg: 

i moment; 

t i (. nfiedtiomthedisjtribnloddocamo 

^ u , > v > t t mi d>uted document, with respect to at 

s - ! 1 v . a r i . i . io~n t 
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32, The software product of claim 31 , -wherein the operations further comprise 
^ ^ - X'oad document based on the received information 



the second document 

34. The software product of claim 31, wherein the second document comprises a 
distributed document and opening the second document 

i v i <■ i urn + i 1 v 

< < so < sbuted document with the second document 

36, The software product of claim 31, Y>1v;e;t .xoedhro i pdsts 
or spxifying permissions < kudkm vui 

k m document. 

3 ? . The software product of claim 36, wherein, the doenroent-permissioas 
s<> x , \ « iruvot* at a level of granularity sma erihantht stributed 

document. 

s est sroduct of claim 31, wherein the istrib < focuroent coi >ris - 

a software program, the second document comprises a later version of the software program, 
o >n comprises running the software program. 
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; 1 ; s 

- ^ vnxsiioaseiverwhen i m s * 
a disirir- utvO .*\c»t. e uuu\ i !> <u.i *. > the * kent: ami 

, NO", " O'VuWc o w M«v ' 0 A]> v i u >i m , Ov s " hema 

, v. i i * I 1 1 5 m ' U 

associated information being retained a; the server and indicating a second ^-'.r.vc 
docum.e&t different from and associated with the distributed a * s document, v server 
aoi mauon joneemiag im second, <. iikdiv" 
m\ it s wnona rakem 

1 e system >t claim 39, wherein the server comprises: 
< d> os , 'subcomponents; 
a - cos component that provides functionality across dynamically loaded 

methods, and 

<.<■> i ^ o \ t la < a i a «s control 

service providers. 

41 • The system of claim 39, further comprising: 
» <» \\<s ioasr tier c- nrpnsmg a cluster of document control servers, in chiding the 
server; 

\ > ' < h y ! t. r 1 ■> 'l 1 s v 1 1 I 

an admianuatien client; arid 

i i a „ a ee da • a a a net requests to the document control servers. 

* N , l< > , s t n ^ i 

v ^ ) if -a vkkUi i a u 

^ s k.f i» ^ io\u ( ! n ' m 'component 

being operable to translate first document per. Misn^a » u ' .a 

v * , 1 0 1 ! 1 <> » ; t i itO 

definition dmnav in response to ( request being received from the client 
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43 . The system of claim 39, wherein the server comprises a pemlssioas-broker 
server operable to obtain and send, in response to the request, a software pro gran) comprising 

effecting an aoiheoii canon procedure, and ! client rises the n > <. i t program 

t eat Tisei arid e< mtroi the action with respect to the see< > t. ^ 

e\r ;i v ^x!dc<,iaijcm-pmiiissioiisiafonnatiojiiass<^ > 

44. Ihe »> stem of claim 3l>\ wherein the <. t menuoaro 
server opembk to syachronfee offline access information with the cheat in response to the 

M I \ v i nisi * ! -i i is 

< i < h ! i > HJ t x n v ike 

in the third document, and the client allows access to the thud Joonrn 1 
user a<s a hk N < i j t s m. \nh >ep t aavi^ e 

j v < v 5« sons <% itr inspect to the third document based on document-- 

permissions adenosm-n associated with the third document. 

: \ m comprising: 

client means for contacting a server when an action is to be taken with respect to a 
ocally; and 

serve;- means for kiemdymg and relating information concerning a second electronic 
document different irons and associated with >< Ji <-> >' It*, docrusent * ;s to be 
s v v i i v. cctK>mc docammt with respect to fee action. 
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46 . The system of claim 45 , farther compri siag: 
server means for mapping first document-pemiissions m&rmation in a first permissions- 
i i u s > c r- 1 doum ! X 1 1 N s 

ekcfi-oaic document; and 

U ' i w m'V" sn^ i < , > 

) oi iik 1 > «. ■> 

v Miv defined m me second peoivissioiis-defiration format used by 

the client means. 
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FURTHER CONTINUED FROM f>CT/SSA/ Z$3 



The claims relate to subject matter for which no search is required 
according to Rule 39 PCI. Si van that the claims are formulated in terms 
- merely specify canrorp 
te.n- i u' f \ the search examiner could not establish 

any technical problem which might potenti <H.y ha caul red t 
step to overcome. Hence it was not possible- to >< out * \-:<-.m--: - 

it* of the art {.Art. 17(2) (a) (i) arid (ii) PCT; see PCT 
< ,< alines.. Chapter 9) . 
The problems which are addressed do not appear to require a .technical, 
but rather an admi ni strati ve/organi sati onal » or business, solution. The 
implementation of this solution may include the use of generic technical 
ffv,«ure , use do not interact to solve any overall technical 

<erely serve their well-known functions. 

The applicant's attention is drawn to the fact that claims relating to 
- of which no international search report has been 
-rd - r be toe subject of an international preliminary 
examination (Rule 66.1(e) PCT). The applicant is advised that the EPO 
policy when acting as an International Preliminary Examining Authority Is 
normally not to carry out a preliminary examination on matter which has 
not been searched. This is the case irrespective of whether or not the 
i - > sno receipt of the search report or during any 

Chapter Ii nrccedure. If the application proceeds into the regional phase 
before the EPO., the applicant is reminded that a search may be carried 

should the problems which led to the Article 17(2) declaration be 
overcome. 



